Should governments do more to protect online privacy?

The Economist magazine is hosting an online debate on whether governments should do more to protect online privacy.  The series can be found here.  Marc Rotenberg, President and Executive Director of Electronic Privacy Information Center (EPIC) is squaring off against Jim Harper, Director of Information Policy Studies at the Cato Institute.  Today, Jules Polonetsky, Co-Chair and Director of the Future of Privacy Forum (the privacy think tank that I founded and co-chair with Jules) made this contribution to the debate:

The struggle over business use of our personal digital data has now been raging for decades. Each new technological advance has kicked off a frenzy of new concerns about the risks created by new types of data collection and use. Cookies, behavioural ads, RFID tags, social networks and mobile geolocation are ubiquitous and essential to many consumer products and business models. Yet many data regulators and policymakers around the world maintain that the common ways they are used violate current privacy laws. Others are pressing for new laws to constrain the collection and use practices that are in question.

American data and tech companies are focused on new bills proposed in Congress, as the latest battle in the long inside-the-Beltway privacy war continues. Washington insiders have been following the manoeuvring between competing privacy proposals on the House side and are awaiting an impending report from the Federal Trade Commission that could indicate whether the agency has decided to call for legislation. All year long, businesses have struggled to defend revenue models like behavioural advertising that are primarily based on using the history of users' web activity to show them ads. For nearly a decade, kicked off by DoubleClick's plans to link catalogue purchases to online web-surfing profiles, these practices and related data uses have been the subject of withering criticism from advocates, regulators and often the media. Recent privacy missteps such as Google's collection of personal data through its Street View software and the flap over Facebook's privacy changes have put privacy issues under an even more intense spotlight.

In Europe, companies are considering the impact of the updated Telecoms Directive, which calls for express consent before a user is served a cookie. In addition, a new consensus opinion from the European privacy regulators has declared that behavioural advertising relies on personal information and thus must also require a level of express consent that users do not get today.

The industry claim is that the use of online marketing data supports free content and provides users with a more relevant online experience. Privacy advocates and regulators insist that such data use should be barred unless users expressly opt in to targeting or tracking. The brickbats continue to fly.

How can businesses turn the corner in this struggle? Adopting the restrictive data-use perspective would end the ad-supported free web-publishing model as it exists today. Fully locking down Facebook privacy settings would put an end to the unexpected but invaluable social opportunities that continue to spring up. But accepting the status quo where users are uneasy about behavioural targeting or uncertain about their social media settings is also not an option.

The debate may soon be cut short by the advance of technical solutions that give users more insight and control over online data use. Venture capitalists have taken note of the increased consumer interest in online privacy and have started funding companies offering privacy tools like Abine, Ghostery and TRUSTe. Datran Media has created a tool that can be used by users to centrally manage opt-out preferences and profiles across many ad networks. And although the browser companies have long offered cookie-handling options, Microsoft's Internet Explorer's new InPrivate Filtering setting will now blacklist any interaction between a user and potential tracking sites. This feature is currently off by default, but will privacy competition with Chrome and Firefox lead to it being more widely promoted in future IE versions? And will Chrome or Firefox up the ante?

What are businesses to do?

Solving the privacy dilemma online may be as simple as companies just acknowledging the truth, telling users more directly that "we are here to help connect you to other people and to help sell you things you may like". Today, most users do not find their online experience noticeably enhanced by the passive tracking that is widespread across websites. But they do value the personalisation provided by the likes of Netflix and Amazon. The difference is that these companies have made data use and personalisation a key part of the consumer experience. By shouting from the home page "we are using your information to help you find things you may want to buy", businesses may find that they solve privacy concerns while meeting business needs.

The use of ad labels and icons, such as the one that the Future of Privacy Forum has consumer tested and leading industry groups have adopted, is a serious step in this direction.

If businesses do not provide users with the transparency and control they want, users may not wait for new laws. They may simply take advantage of the tools that are increasingly available to just take control themselves.

Targeted Advertising and Online Tracking Remain Front Page News

Two national newspapers today included items on targeted advertising, a further indication that online tracking remains a hot topic. In an article on the front page of the New York Times entitled "Retargeting Ads Follow Surfers to Other Sites" the reporters note that "[b]ehavioral targeting has been hotly debated in Washington, and lawmakers are considering various proposals to regulate it."

People have grown accustomed to being tracked online and shown ads for categories of products they have shown interest in, be it tennis or bank loans.

Increasingly, however, the ads tailored to them are for specific products that they have perused online. While the technique, which the ad industry calls personalized retargeting or remarketing, is not new, it is becoming more pervasive as companies like Google and Microsoft have entered the field. And retargeting has reached a level of precision that is leaving consumers with the palpable feeling that they are being watched as they roam the virtual aisles of online stores.

The article quoted an Advertising Age writer who said “If the industry is truly worried about a federally mandated ‘do not track’ list akin to ‘do not call’ for the Internet, they’re not really showing it.” The Interactive Advertising Bureau (IAB), comprised of more than 460 media and technology companies responsible for selling 86% of online advertising in the United States, disputes that it is not addressing the privacy issues associated with online tracking and targeting, as indicated here.

A Wall Street Journal opinion piece by Emory University Economics Professor Paul Rubin paints a very different picture from the New York Times article.  The piece is entitled "Ten Fallacies About Web Privacy" and in summary form, here is Professor Rubin's list of privacy fallacies with excerpts of why he thinks the propositions are false. 

1) Privacy is free...  The more privacy consumers have, the less information is available for use in the economy. Since information helps markets work better, the cost of privacy is less efficient markets...

2) If there are costs of privacy, they are borne by companies... [C]onsumers get tremendous benefits from the use of information [and bear a cost from regulations designed to protect their privacy]...

3) If consumers have less control over information, then firms must gain and consumers must lose...  [W]hen information is used for other purposes—for example, in credit rating—then the cost of credit for all consumers will decrease...

4) Information use is "all or nothing." ... [S]ervices will be lower-quality and less valuable to consumers as information use is more restricted...

5) If consumers have less privacy, then someone will know things about them that they may want to keep secret....  [W]e are not used to the concept that something can be known and at the same time no person knows it. But this is true of much online information...

6) Information can be used for price discrimination (differential pricing), which will harm consumers.  [If] price discrimination makes it possible for firms to provide goods and services that would otherwise not be available (which is common for virtual goods and services such as software, including cell phone apps) then consumers unambiguously benefit...

7) If consumers knew how information about them was being used, they would be irate.  [C]onsumers don't bother to learn about information use on the Web precisely because there is no harm from the way it is used...

8) Increasing privacy leads to greater safety and less risk. The opposite is true....  Think of being called by a credit-card provider and asked a series of questions when using your card in an unfamiliar location, such as on a vacation...

9) Restricting the use of information (such as by mandating consumer "opt-in") will benefit consumers. In fact, since the use of information is generally benign and valuable, policies that lead to less information being used are generally harmful...

10) Targeted advertising leads people to buy stuff they don't want or need. This belief is inconsistent with the basis of a market economy...

Clearly, when Congress returns from its recess and the privacy advocacy community returns from vacation, and as the FTC prepares its long-awaited report following a series of privacy roundtables earlier this year, debate over online tracking, self-regulation and the need vel non of government regulation will heat up.

September Privacy Events Galore

With the new "school year" comes a plethora of privacy events featuring Hogan Lovells attorneys:

On September 9th, the International Association of Privacy Professionals will present this Web Conference on "The Evolution of FTC Privacy Enforcement Actions—What More Granular Enforcement Means for Respondents and Businesses" featuring Hogan Lovells attorneys Chris Wolf and Tim Tobin and FTC Attorney Kandi Parsons.

It is a given that there can be no privacy without data security. Chief Security Officer magazine is presenting the Security Standard conference on September 13 and 14 at the Marriott Brooklyn Bridge in New York City to explore the complexities of modern security strategies, addressing identity management, cloud security, data protection, risk management and privacy. For registration information, click here.

Hogan Lovells' Chris Wolf will be presenting the following session on September 13:

Negotiating with Your Cloud Provider:  Standard service agreements don’t go far enough in protecting your data and your organization in the event of security incidents or outages at cloud providers. In this session, learn how to negotiate the right terms and penalties to get the protection you need from your cloud provider, from identity management to business continuity, incident response plans and more.

On September 14th, Pike & Fischer (a BNA company) will present this Web Conference entitled "Legal Landmines in Europe for Internet-Based Businesses" and featuring Hogan Lovells attorneys from our Paris Office David Taylor, Winston Maxwell, and Chris Wolf from Washington, DC, as well as Google's Global Privacy Counsel Peter Fleischer.

On September 21st, Hogan Lovells will present a complimentary webinar on NAFTA Privacy featuring top governmental privacy officials from Canada, the US, and Mexico, as well as the Chief Privacy Leader of General Electric, moderated by Hogan Lovells' Chris Wolf. More information can be found here. To register, please click here.

And later in September....

You are invited to join Hogan Lovells at the upcoming Online Trust Alliance 5th Anniversary "Online Trust & Cybersecurity Forum" being hosted at Georgetown University, September 22 to 24. Of particular interest on Wednesday the 22nd are three pre-conference workshops focusing on (1) email regulatory compliance, (2) email and domain authentication, and (3) malvertising. More information on the agenda and registration is posted here.

Thursday keynotes include US Secretary of Commerce Gary Locke, Greg Link of CoveyLink, Howard Schmidt (White House Cybersecurity Coordinator) and Randall Rothenberg (IAB), as well as dozens of other business and industry leaders. On Friday, Representative Cliff Stearns is speaking and kicking off a privacy roundtable, followed by sessions on data breach remediation, identity management and privacy policy makeovers.

At the September 24th session, Christopher Wolf of Hogan Lovells will participate in this panel:

Data Breach & ID Theft; Detection & Remediation
Despite increased security prevention investments and employee training, incidents of data loss are increasing. Companies need to pro-actively plan for the worst case, understanding that the focus is not if an event will occur, but when. An effective plan includes an orchestrated play book to be deployed on a moment’s notice. This session will examine steps businesses can take to protect consumers and their brands by reviewing elements of an effective plan, including consumer education. The session will also examine the role consumers have in the chain of trust and steps they can take to protect their identity.

  • Chris Shenefelt, Executive Vice President, Global Operations, Intersections Inc.

  • Anne Wallace, President, Identity Theft Assistance Corporation

  • Christopher Wolf, Director, Privacy & Information Management Practice, Hogan Lovells

OTA has offered readers of the Hogan Lovells Blog the opportunity to register by August 31st for only $399.50 for the two-day program and save 50%. Use discount code Hogan50. Register at https://otalliance.org/dc.html

AMP Summit is "an annual forum for influentials and thought leaders in the activist, media and political spheres." Public officials and regulators, experts from think tanks, trade associations, and public relations, and members of the media will attend. This conference in Washington at the Marriott Metro Center "is intended to inspire new thinking, challenge traditional strategies, and create opportunities to learn from each other." Detailed information can be found here.

Chris Wolf from Hogan Lovells will participate on a panel on Friday, September 24th from 3:50 to 5 PM entitled "Privacy in the Internet Age: Does DC Have a Role to Play?" with Lillie Coney of the Electronic Privacy Information Center and Berin Szoka of the Progress and Freedom Foundation, moderated by Bruce Mehlman of Mehlman, Vogel, Castagnetti.

Also, as shown here, Quentin Archer from the Hogan Lovells London Office will be co-chairing the Sedona Conference International Programme on Cross-Border E-Discovery and Privacy on 15 and 16 September in Washington, DC.

What I Did on My Summer Vacation -- Talked About Privacy in Seattle

With much of the privacy regulatory and policy world on vacation, I took a few days outside of Washington to hear what people are thinking about where privacy law is going. I have just returned from "Geek Week" in Seattle, WA, where I participated in a new program entitled "pii2010" which "explore[d] the future of digital privacy, identity and innovation, and how to strike a balance between protecting sensitive information and enabling new technologies and business models. Hosted by technology analyst Larry Magid, it [was] an all-hands-on-deck conference where industry executives, technologists, consumer advocates, policy experts and other stakeholders [came] together as a group to examine critical issues." "Lively" doesn't begin to describe the event, with audience members intervening at will and peppering the panelists with questions and "colorful" comments. It was a little like a blog come to life. One major take-away: there are widely divergent views on the role of government and regulation in protecting online privacy.

Washington Internet Daily provided a report of the event and my participation, a small excerpt of which is here:

Rumors of the death of the notice-and-choice privacy framework have been greatly exaggerated. Despite regular declarations from FTC officials over the past several months that the framework needs to be replaced, privacy advocates speaking to the pii2010 conference Thursday gave every indication that won't happen.

"For better or worse, we are stuck with a notice-and-choice paradigm" and must work within it, said Christopher Wolf, co-chairman of the Future of Privacy Forum. "I don't see how you get rid of choice," said Fran Maier, president of TRUSTe.  The likelihood of any privacy bill passing this year is "virtually nonexistent," and if Republicans retake at least one house of Congress in the midterm elections, it drops, Wolf said. The bills offered by Reps. Bobby Rush, D-Ill., and Rick Boucher, D-Va., chairmen of the House Commerce Consumer Protection and Communications subcommittees, are "incredibly complex," Wolf said. "I just see enormous wrangling" over their provisions from industry and activists. The bills have been helpful to "start conversation" with stakeholders, though, Maier said.

More likely is faster development of "common law" by the FTC, which has "really gotten into the weeds" on privacy-related issues, especially data security, said Wolf, who represents clients before the commission. The parties targeted in FTC investigations rarely put up much of a fight, as exemplified by Sears' conceding that its tracking software installed on customers' computers crossed the line, he said: There's no reason to think the commission will go easier on privacy disputes.

The Future of Privacy Forum is "trying to proselytize" for better self-regulation by industry, as with the "Power-I" icon being tested in online ads, but not trying to halt privacy legislation that gives companies a safe harbor for following best practices, Wolf said. The forum is running a "privacy papers for policymakers" competition whose winners will be announced Sept. 15 at a George Washington University law school event with David Vladeck, director of the FTC Consumer Protection Bureau, he said.

Rite Aid Fined $1 Million for Improperly Disposing Personal Information

On July 27th, the Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) announced settlements with Rite Aid Corporation for the improper disposal of personal information -- including prescriptions and labeled pill bottles containing identifiable information about Rite Aid customers, and employment applications -- in publicly accessible dumpsters behind Rite Aid stores in a number of cities across the country.  In addition to improperly disposing of personal information, HHS and the FTC also claimed that Rite Aid failed to:

  • implement policies and procedures to dispose securely of such information, including, but not limited to, policies and procedures to render the information unreadable in the course of disposal;
  • adequately train employees to dispose securely of such information;
  • use reasonable measures to assess compliance with its established policies and procedures for disposing such information; and
  • employ a reasonable process for discovering and remedying risks to such information.

Under the HHS resolution agreement, Rite Aid agreed to pay $1 million to settle potential violations of the Health Insurance Portability and Accountability Act Privacy Rule.  Rite Aid also agreed to distribute policies and procedures for protecting protected health information (such as the patient information improperly disposed in this case), train employees on the policies and procedures, monitor for violations, sanction employees who commit violations, and hire a third-party auditor to conduct periodic compliance reviews.  The HHS resolution agreement applies for three years.

In its consent order, the FTC accused Rite Aid of committing both unfair and deceptive trade practices in violation of Section 5 of the FTC Act.  Specifically, the FTC claimed that Rite Aid committed unfair trade practices when it failed to employ reasonable and appropriate measures to prevent unauthorized access to the personal information, and committed deceptive trade practices when it recklessly disposed of customers' health information despite making claims it would responsibly protect such information. 

In addition to the penalties imposed by HHS, the FTC ordered Rite Aid to cease misrepresenting its information security practices to consumers, establish a comprehensive information security program reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers and employees, and obtain biannual audits of its information security program for the next 20 years.

These settlements were similar to those imposed on CVS Caremark in February of 2009, which also stemmed from a joint investigation of the HHS and the FTC into reports of improperly disposed patient and employee information into publicly accessible dumpsters.  While many of the procedural requirements of the settlements are similar, in that case HHS required CVS Caremark to pay $2.25 million to settle the charges.

These cases reaffirm the agencies' commitment to investigating and punishing improper data disposal practices, especially in light of high-profile media reports discovering sensitive consumer information in dumpsters and boxes left by the side of the road.  In order to avoid these types of high-profile investigations, organizations should implement and enforce data retention policies and always destroy sensitive customer and employee data prior to disposal.

UK's ICO Issues Code of Practice on Online Privacy

This month saw the launch of the ICO's first code of practice on online privacy, following extensive consultation earlier in the year. The code provides good practice advice for organisations providing goods and services using the web and explains how the Data Protection Act applies to the collection and use of personal data online.

The code is divided into the following 7 chapters, and also includes a helpful annex and glossary of terms, for those less familiar with online jargon. You can read on to see our summarised highlights of the code, but we also recommend reading the full guidance document on the ICO website, through the link provided above. It should be of particular interest to businesses engaged in behavioural advertising, online sales and cloud computing.

EU's Article 29 Working Party Provides Substantial Guidance

Quentin Archer, a partner in the London Office of Hogan Lovells, provides this report:

The Article 29 Working Party (set up under Article 29 of the European Data Protection Directive) has been very productive over the last month as the summer holidays approach, issuing four opinions, one report and one set of FAQs.  In recent years we have come to expect these spikes in publications at the middle and end of each year, which are perhaps more a product of the Working Party's internal approvals process than any indication of unusual activity. 

Behavioral Advertising

In June, the Working Party issued Opinion 2/2010 (WP171) on online behavioral advertising.  The Working Party notes that both the E-Privacy Directive and the Data Protection Directive are relevant to online behavioral advertising, and goes into some detail on the requirements of the E-Privacy Directive (amended in 2009) that cookies should be employed for this purpose only with the informed consent of users.  It recommends that advertising network providers should limit in time the scope of consents given by users, offer the possibility for consents to be revoked easily and create visible tools to be displayed where monitoring takes place.  In relation to general data protection obligations, it emphasizes the importance of transparency regarding processing of personal data and points out that the responsibility for ensuring transparency will be shared between different service providers in relation to behavioral advertising.  However, the Working Party does not prescribe how legal obligations should be fulfilled from a technological point of view, and instead invites industry to undertake a dialog with it to explore how the legal framework set out in the Opinion can be satisfied.

For a more detailed discussion of the provisions of this opinion, see our analysis here.

Controller-Processor Standard Clauses

On 12th July 2010, the Working Party issued FAQs (WP176) designed to address issues raised by the entry into force of the Commission Decision of 5th February 2010 on the new controller-processor standard clauses.  Several of the FAQs address the situation where personal data is transferred from an EEA-based controller to an EEA-based processor and then to a non-EEA-based sub-processor, which is not specifically contemplated by the new clauses.  As the new clauses cannot be used to effect this, the Working Party suggests different solutions to address the problem.  The remainder of the FAQs answer a variety of questions which might arise where the processor to whom the data are transferred is located outside the EEA, such as whether a data exporter's consent to sub-processing must be specific or can be general, and whether sub-processing agreements can be made in respect of more than one data exporter.

Data Retention

On 13th July, the Article 29 Working Party issued Report 01/2010 (WP172) on its second joint enforcement action, which concerned the implementation of the Data Retention Directive (Directive 2006/24/EC).  The Data Retention Directive derogates from the provisions of the E-Privacy Directive by requiring Member States to ensure that certain categories of communications data are retained for periods of not less than six months and not more than two years.  This is in contrast to the general principle in Article 6 of the E-Privacy Directive, which requires such data to be erased or anonymised when it is no longer needed for the purposes of the transmission of a communication.

The data protection authorities of 25 EEA member states contributed to the joint enforcement action, circulating questionnaires and conducting onsite investigations in certain cases.  It was discovered that there were significant differences between Member States regarding retention of internet services traffic data, with variations in retention periods.  A more uniform picture emerged in relation to the retention of telephone traffic data.  The Working Party established that there was inconsistent implementation at domestic level as a result of differing views over the scope of the Directive, notably whether it was meant to be a derogation from the general obligation to erase traffic data upon conclusion of an electronic communication, or whether instead it affected only data which providers were already allowed to store for subscriber billing and interconnection payments purposes in accordance with Article 6(2) of the E-Privacy Directive.  The Working Party recalled its previous opinions on the Data Retention Directive and (awaiting the decision of the Commission as to whether or not to amend or repeal the Directive) it laid down specific recommendations to ensure increased harmonization, more secure data transmission and standardized handover procedures.

For a more detailed discussion of the provisions of this opinion, see our analysis here.

Accountability

Also on 13th July, the Working Party issued Opinion 3/2010 on the principle of accountability (WP173). The Opinion proposes that a new principle on accountability should be introduced (as part of amendments to the Data Protection Directive) which would require data controllers to put in place appropriate and effective measures to ensure that the principles and obligations set out in the Directive are complied with, and to demonstrate this to supervisory authorities upon request.  It is hoped that this will provide a practical means of ensuring the observance of data protection rules as well as helping data protection authorities in their supervision and enforcement tasks.

FEDMA

The third opinion, also adopted on 13th July was Opinion 4/2010 on the European Code of Conduct of FEDMA for the Use of Personal Data in Direct Marketing (WP174).  The approval of draft community codes of conduct is anticipated in Article 27(3) of the Data Protection Directive, and indeed the European Code of Conduct of FEDMA (the Federation of European Direct and Interactive Marketing) had been the subject of a previous favorable opinion of the Working Party in June 2003.  The subject matter of the present Opinion was an annex to the Code dealing with the specific problems created by the on-line world, with special reference to provisions designed to protect children.  The annex (which is exhibited to the Opinion) was approved by the Working Party and FEDMA was encouraged to promote it within the direct marketing sector.

RFID

The final July 13th opinion is Opinion 5/2010 on the Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications. The opinion comments on an industry framework for RFID privacy impact assessments (PIAs). Although the Working Party agreed with the broad framework of the industry report, it indicated three concerns: (1) no section of the PIA requires the RFID operator to identify risks associated with the RFID application; (2) the proposed framework fails to encourage the RFID operator to identify risks to individuals related to carrying RFID tags in everyday life; and (3) there is a lack of clarity regarding RFID tag deactivation in the retail sector. As a result of these concerns, the Working Party stated that it could not endorse the proposed document.

Rep. Rush Introduces Privacy Bill to Regulate Collection and Use of Personal Information

On July 19, Rep. Bobby Rush (D-Ill.), chairman of the House Energy and Commerce Subcommittee on Commerce, Trade, and Consumer Protection, introduced a privacy bill, H.R. 5777, that would codify certain fair information principles into law for "covered entities" that collect, maintain, use, and transfer to third parties any "covered information" (consisting of personally identifiable information as well as any "unique identifier," including IP addresses).  Covered entities would be those that (a) store covered information from or about at least 15,000 individuals; (b) collect covered information from or about at least 10,000 individuals during any 12-month period; (c) collect or store "sensitive information" (defined as an individual's medical history, race or ethnicity, religious beliefs, sexual orientation or behavior, financial information, precise geolocation information, biometric data, or Social Security number); or (d) use covered information to study, monitor, or analyze the behavior of individuals as the entity's primary business.  The bill, titled the “BEST PRACTICES Act,” would require each covered entity, with some exceptions, to do the following:

  • Make specific privacy disclosures to individuals whose personal information it collects or maintains "in concise, meaningful, timely, prominent, and easy-to-understand notice or notices" in a manner to be specified by the Federal Trade Commission (FTC);
  • Provide individuals with a "reasonable means" to opt out of the information collection and use for non-operational purposes (though covered entities would be permitted to require consent to the collection and use as a condition of service to individuals with which it has a direct relationship);
  • Obtain opt-in consent before (a) disclosing covered information to third parties (except for joint marketing purposes); (b) collecting, using, or disclosing sensitive information; or (c) monitoring all or substantially all of an individual's Internet or computer activity;
  • Obtain opt-in consent to any "material" changes to privacy practices governing previously collected information or sensitive information;
  • Establish "reasonable procedures" to assure the accuracy of the covered information or sensitive information collected, assembled, or maintained, with the FTC issuing rules on what is "reasonable";
  • Upon request and subject to identity verification, provide individuals with "reasonable access" to, and the ability to dispute the accuracy or completeness of, covered or sensitive information about that individual if such information may be used for purposes that could result in an "adverse decision" against the individual, in a manner to be specified by the FTC;
  • Establish, implement, and maintain "reasonable and appropriate" administrative, technical, and physical safeguards for covered information stored and used by the entity;
  • Provide a process for individuals to file complaints concerning policies and procedures required by the bill;
  • Conduct a privacy risk assessment prior to the implementation of any plans by which the entity intends to collect, or believes there is a reasonable likelihood it will collect, covered or sensitive information from or about more than 1,000,000 individuals;
  • Retain covered or sensitive information only as long as necessary to fulfill a legitimate business purpose or comply with a legal requirement; and
  • Conduct periodic assessments to evaluate whether it is necessary to continue to retain information already collected, and whether ongoing information collection practices remain necessary for a legitimate business purpose.

The bill would provide exceptions from certain provisions for:

  • Covered entities that participate in FTC-sanctioned industry self-regulatory programs that provide alternate mechanisms for obtaining consumer consent to information collection and use.  These programs, at minimum, would be required to (a) provide a clear and conspicuous opt-out mechanism (which may be a preference management tool that will enable individuals to make more detailed choices about the transfer of covered information to a third party); (b) provide a clear and conspicuous mechanism to set communication, online behavioral advertising, and other preferences that, when selected by the individual, applies the individual's selected preferences to all covered entities participating in the program; and (c) establish procedures for the review of applications, periodic assessment of members, and enforcement of violations for covered entities participating in the program;
  • The collection, use, or disclosure of aggregated or anonymized information (allowing the FTC to set rules regarding the levels of aggregation or anonymization necessary to qualify for the exception); and
  • Activities covered by other federal privacy laws.

If enacted, the bill could be enforced by the FTC or state attorneys general, with civil penalties authorized up to $5,000,000 for each type of violation.  The bill also would create a private right of action for individuals whose covered or sensitive information is "willfully" collected or used without the required consent, allowing recovery of actual damages not more than $1,000, punitive damages, and costs and attorney's fees.  There would be a two-year statute of limitations.

This bill contains a number of provisions similar to a discussion draft of privacy legislation published by Reps. Rick Boucher (D-Va.) and Cliff Stearns (R-Fl.) in May.  Like the Boucher-Stearns proposal (which has not been formally introduced), the Rush bill would usher in a series of stricter European-like privacy protections to the collection and use of information, now regulated on an ad hoc basis by the FTC under its authority to regulate unfair and deceptive trade practices under Section 5 of the FTC Act.

Rush will conduct a hearing on July 22 at 2:00 PM to discuss the bill and the Boucher-Stearns proposal.

EU Article 29 Working Party Report on ISP and Telecom Carrier Data Retention for Law Enforcement Purposes

Winston Maxwell, a partner in Hogan Lovells’ Paris Office prepared this entry.

On July 13, 2010 the EU’s Article 29 Data Protection Working Party adopted a report (http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp172_en.pdf) describing how ISPs and telecom carriers retain traffic data for law enforcement purposes in Europe. The European Data Retention Directive 2006/24/EC (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32006L0024:EN:HTML) was supposed to harmonize national laws on data retention. But according to the working party’s report, harmonization is seriously flawed in a number of respects.


The report confirms what we have heard from a number of our communications clients: each Member State has slightly different rules for retaining traffic data for law enforcement purposes, particularly when it comes to IP-based communications. The retention period differs from country to country, and the kind of data to be retained is in many cases different as well. For a pan-European communications provider, this creates a real headache, because specific procedures and systems have to be created for each Member State where the communications provider does business.


Major Changes to the HIPAA Privacy, Security and Enforcement Rules Introduced in the HHS Proposed Rule

The Department of Health and Human Services (HHS) introduced sweeping changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security and Enforcement Rules in its Notice of Proposed Rulemaking issued on July 8. 

Some of the major changes introduced under the Proposed Rule include:

  • Business Associates and Business Associate Agreements— HHS modifies the current definition of business associates to explicitly include several new entities, most importantly sub-contractors who create, receive or transmit protected health information (PHI) on behalf of business associates. Subcontractors who meet this criterion are now business associates and consequently required to enter into business associate agreements with business associates and subject to direct liability under the HIPAA Rules.

The Proposed Rule also makes a number of modifications to the business associate agreement contractual requirements, including (but not limited to) requiring that business associate agreements include language that require business associates to report breaches of unsecured PHI to covered entities, and to the extent a business associate is carrying out any covered entity Privacy Rule obligations, comply with the relevant Privacy Rule requirements that apply to the covered entity.

The Proposed Rule proposes a one year transition period for compliance with the new business associate agreement requirements for certain existing contracts.

  • Security Rule— The Proposed Rule makes § 164.306 of the Security Rule, which sets out general rules that apply to all standards and implementation sections of the Security Rule, apply to business associates. HHS also introduces several other changes to the Security Rule with respect to business associates in the Proposed Rule.

  • Marketing— HHS proposes significant, complex revisions to the exceptions to the definition of “marketing” and solicits comments on a number of its proposals, including the distinction it draws in the Proposed Rule between treatment and health care operations communications.
